New data reg: 4 things all cloud providers need to know

UPDATE 2/7/15: See the updated article.

The new EU General Data Protection Regulation is on its way. The EU Parliament approved the text in March. The new EU Commission president has recently given a time scale of six months to conclude negotiations with member states. Some reckon it won't be in force until 2017; others say it could be as early as next year.

Cloud providers – are you ready?

1. Cloud providers will be caught directly

New obligations will extend to cloud providers as "data processors". While the primary obligations will still fall on the customer as "data controller", cloud providers will have to maintain certain documentation and cooperate with the supervisory authority.

2. Mandatory breach notification

If you leak or lose customer data, the customer will not be able to keep silent and will have to notify the supervisory authority. Customers will be keen to avoid having to notify at all, by ensuring the provider keeps the data secure in the first place. But if there is a problem, expect them to name and shame you. Some providers, of course, already have to notify under existing regulations.

3. Massive fines

Fines for the most serious breaches could be up to 5% of global turnover. Data breaches could become very expensive all of a sudden. Customers are likely to seek reassurances from providers and may look to make the provider carry this loss where the provider is the cause. Expect contract wrangling on this point.

4. Data Protection officer

The customer will have to appoint someone as its data protection officer and tell its users who that is. In turn, customers may ask the provider to nominate someone to answer data protection queries. This need not be a new role, but providers should be prepared to give someone the responsibility.

++

There's more. For example, the need to register with only one supervisory body across the whole EU rather than, potentially, all of them. There's also a real "right to be forgotten" that will be enshrined in law, not just the halfway-house version arising from the Google case. Again, these obligations will primarily fall on the cloud customers who store data with you. Customers may also scrutinise more closely whether the provider is truly data protection compliant, rather than just using Safe Harbor as a pretty but useless badge.

I suggest you get ready for the changes now, while there's still time.
